Merge branch 'aws:master' into fix-ecr-migration

Author: TheanLim

Diff for: CHANGELOG.md

@@ -1,4 +1,17 @@
 # Changelog
+# 1.92.0
+* Enhancement - Migrate ECS client to aws-sdk-go-v2 [#4447](https://github.com/aws/amazon-ecs-agent/pull/4447)
+* Enhancement - Update tcs api model to rename osFilesystem to rootFileSystem. [#4525](https://github.com/aws/amazon-ecs-agent/pull/4525)
+* Enhancement - Enhance unit test TestSetInstanceIdentity [#4533](https://github.com/aws/amazon-ecs-agent/pull/4533)
+* Enhancement - Increased container exit reason message size from 255 to 1024 characters [#4545](https://github.com/aws/amazon-ecs-agent/pull/4545)
+* Enhancement - Bump golang.org/x/net from 0.33.0 to 0.36.0 in /agent [#4532](https://github.com/aws/amazon-ecs-agent/pull/4532)
+* Enhancement - Migrate ACS over to AWS SDK Go V2 [#4534](https://github.com/aws/amazon-ecs-agent/pull/4534)
+* Enhancement - Migrate ASM to aws-sdk-go-v2 [#4556](https://github.com/aws/amazon-ecs-agent/pull/4556)
+* Enhancement - Add IPv4 and IPv6 detection to Agent [#4561](https://github.com/aws/amazon-ecs-agent/pull/4561)
+* Enhancement - Update Agent build golang version to 1.23.7 [#4563](https://github.com/aws/amazon-ecs-agent/pull/4563)
+* Bugfix - Update tcs api model to rename BytesUtilized to bytesUtilized [#4537](https://github.com/aws/amazon-ecs-agent/pull/4537)
+* Bugfix - Change back to having struct field pointers within TaskProtectionResponse [#4559](https://github.com/aws/amazon-ecs-agent/pull/4559)
+
 # 1.91.2
 * Bugfix - Revert "Migrate ECR client to aws-sdk-go-v2". [4539](https://github.com/aws/amazon-ecs-agent/pull/4539)
 

Diff for: GO_VERSION

@@ -1 +1 @@
-1.22.7
+1.23.7

Diff for: GO_VERSION_WINDOWS

@@ -1 +1 @@
-1.22.7
+1.23.7

Diff for: Makefile

@@ -395,7 +395,7 @@ install-golang:
 	go install github.com/golang/mock/[email protected]
 	go install golang.org/x/tools/cmd/[email protected]
 	GO111MODULE=on go install github.com/fzipp/gocyclo/cmd/[email protected]
-	GO111MODULE=on go install honnef.co/go/tools/cmd/staticcheck@2023.1.6
+	GO111MODULE=on go install honnef.co/go/tools/cmd/staticcheck@2025.1.1
 	touch .get-deps-stamp
 
 get-deps: .get-deps-stamp
@@ -404,7 +404,7 @@ get-deps-init:
 	go install github.com/golang/mock/[email protected]
 	go install golang.org/x/tools/cmd/[email protected]
 	GO111MODULE=on go install github.com/fzipp/gocyclo/cmd/[email protected]
-	GO111MODULE=on go install honnef.co/go/tools/cmd/staticcheck@v0.4.0
+	GO111MODULE=on go install honnef.co/go/tools/cmd/staticcheck@2025.1.1
 
 amazon-linux-sources.tgz:
 	./scripts/update-version.sh

Diff for: VERSION

@@ -1 +1 @@
-1.91.2
+1.92.0

Diff for: agent/acs/session/payload_responder.go

@@ -129,7 +129,7 @@ func (pmHandler *payloadMessageHandler) addPayloadTasks(payload *ecsacs.PayloadM
 		logger.Info("Received task payload from ACS", logger.Fields{
 			loggerfield.TaskARN:       apiTask.Arn,
 			loggerfield.TaskVersion:   apiTask.Version,
-			loggerfield.DesiredStatus: apiTask.GetDesiredStatus(),
+			loggerfield.DesiredStatus: apiTask.GetDesiredStatus().String(),
 		})
 
 		if apiTask.IsFaultInjectionEnabled() {

Diff for: agent/api/container/container.go

@@ -1486,7 +1486,7 @@ func (c *Container) getCredentialSpecFromCredentialSpecsContainerField() (string
 	c.lock.RLock()
 	defer c.lock.RUnlock()
 
-	if c.CredentialSpecs == nil || len(c.CredentialSpecs) == 0 {
+	if len(c.CredentialSpecs) == 0 {
 		return "", errors.New("empty container credentialSpecs")
 	}
 

Diff for: agent/api/statechange.go

@@ -521,7 +521,7 @@ func buildContainerStateChangePayload(change ContainerStateChange) (*types.Conta
 		stat != apicontainerstatus.ContainerStopped &&
 		stat != apicontainerstatus.ContainerRunning {
 		logger.Warn("Not submitting unsupported upstream container state", logger.Fields{
-			field.Status:        stat,
+			field.Status:        stat.String(),
 			field.ContainerName: change.ContainerName,
 			field.TaskARN:       change.TaskArn,
 		})

Diff for: agent/api/task/task.go

@@ -1702,8 +1702,8 @@ func (task *Task) updateTaskKnownStatus() (newStatus apitaskstatus.TaskStatus) {
 	logger.Debug("Found container with earliest known status", logger.Fields{
 		field.TaskID:        task.GetID(),
 		field.Container:     earliestKnownStatusContainer.Name,
-		field.KnownStatus:   earliestKnownStatusContainer.GetKnownStatus(),
-		field.DesiredStatus: earliestKnownStatusContainer.GetDesiredStatus(),
+		field.KnownStatus:   earliestKnownStatusContainer.GetKnownStatus().String(),
+		field.DesiredStatus: earliestKnownStatusContainer.GetDesiredStatus().String(),
 	})
 	// If the essential container is stopped while other containers may be running
 	// don't update the task status until the other containers are stopped.

Diff for: agent/api/task/task_test.go

@@ -59,7 +59,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ecs/types"
-	"github.com/aws/aws-sdk-go/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/volume"
 	"github.com/docker/go-connections/nat"
@@ -2716,8 +2716,8 @@ func TestPopulateASMAuthData(t *testing.T) {
 				ARN:                "",
 				IAMRoleCredentials: executionRoleCredentials,
 			}, true),
-		asmClientCreator.EXPECT().NewASMClient(region, executionRoleCredentials).Return(mockASMClient),
-		mockASMClient.EXPECT().GetSecretValue(gomock.Any()).Return(asmSecretValue, nil),
+		asmClientCreator.EXPECT().NewASMClient(region, executionRoleCredentials).Return(mockASMClient, nil),
+		mockASMClient.EXPECT().GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).Return(asmSecretValue, nil),
 	)
 
 	// create resource

Diff for: agent/app/agent.go

@@ -465,6 +465,8 @@ func (agent *ecsAgent) doStart(containerChangeEventStream *eventstream.EventStre
 		}
 	}
 
+	initializeIPCompatibility(agent.mac)
+
 	// Register the container instance
 	err = agent.registerContainerInstance(client, vpcSubnetAttributes)
 	if err != nil {
@@ -1269,3 +1271,15 @@ func contains(capabilities []string, capability string) bool {
 
 	return false
 }
+
+// Determines and sets IPv4 and IPv6 compatibility for the container instance.
+//
+// If there was a failure in determining IP compatibility then this function falls back
+// to default settings, that is, IPv4 compatible but IPv6 incompatible.
+func initializeIPCompatibility(mac string) {
+	if err := config.DetermineIPCompatibility(mac); err != nil {
+		logger.Warn("Could not determine IPv4 and IPv6 compatibility, falling back to defaults",
+			logger.Fields{field.Error: err})
+		config.SetIPCompatibilityToV4Only()
+	}
+}

Diff for: agent/asm/asm.go

@@ -14,19 +14,25 @@
 package asm
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 
 	"github.com/aws/amazon-ecs-agent/ecs-agent/logger"
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/service/secretsmanager"
-	"github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/cihub/seelog"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/pkg/errors"
 )
 
+// For mocking purpose
+type SecretsManagerAPI interface {
+	GetSecretValue(ctx context.Context, params *secretsmanager.GetSecretValueInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error)
+}
+
 // AuthDataValue is the schema for
 // the SecretStringValue returned by ASM
 type AuthDataValue struct {
@@ -46,27 +52,23 @@ func augmentErrMsg(secretID string, err error) string {
 		logger.Warn("augmentErrMsg: SecretID is empty (which is unexpected)")
 	}
 
-	if aerr, ok := err.(awserr.Error); ok {
-		switch aerr.Code() {
-		case secretsmanager.ErrCodeResourceNotFoundException:
-			secretID = "'" + secretID + "' "
-			return resourceInitializationErrMsg(secretID)
-		default:
-			return fmt.Sprintf("secret %s: %s", secretID, err.Error())
-		}
+	var rnfe *types.ResourceNotFoundException
+	if errors.As(err, &rnfe) {
+		secretID = "'" + secretID + "' "
+		return resourceInitializationErrMsg(secretID)
 	} else {
 		return fmt.Sprintf("secret %s: %s", secretID, err.Error())
 	}
 }
 
 // GetDockerAuthFromASM makes the api call to the AWS Secrets Manager service to
 // retrieve the docker auth data
-func GetDockerAuthFromASM(secretID string, client secretsmanageriface.SecretsManagerAPI) (registry.AuthConfig, error) {
+func GetDockerAuthFromASM(secretID string, client SecretsManagerAPI) (registry.AuthConfig, error) {
 	in := &secretsmanager.GetSecretValueInput{
 		SecretId: aws.String(secretID),
 	}
 
-	out, err := client.GetSecretValue(in)
+	out, err := client.GetSecretValue(context.TODO(), in)
 	if err != nil {
 		return registry.AuthConfig{}, errors.Wrapf(err,
 			"asm fetching secret from the service for %s", secretID)
@@ -81,7 +83,7 @@ func extractASMValue(out *secretsmanager.GetSecretValueOutput) (registry.AuthCon
 			"asm fetching authorization data: empty response")
 	}
 
-	secretValue := aws.StringValue(out.SecretString)
+	secretValue := aws.ToString(out.SecretString)
 	if secretValue == "" {
 		return registry.AuthConfig{}, errors.New(
 			"asm fetching authorization data: empty secrets value")
@@ -95,8 +97,8 @@ func extractASMValue(out *secretsmanager.GetSecretValueOutput) (registry.AuthCon
 			"asm fetching authorization data: unable to unmarshal secret value, invalid schema")
 	}
 
-	username := aws.StringValue(authDataValue.Username)
-	password := aws.StringValue(authDataValue.Password)
+	username := aws.ToString(authDataValue.Username)
+	password := aws.ToString(authDataValue.Password)
 
 	if username == "" {
 		return registry.AuthConfig{}, errors.New(
@@ -117,15 +119,15 @@ func extractASMValue(out *secretsmanager.GetSecretValueOutput) (registry.AuthCon
 }
 
 func GetSecretFromASMWithInput(input *secretsmanager.GetSecretValueInput,
-	client secretsmanageriface.SecretsManagerAPI, jsonKey string) (string, error) {
+	client SecretsManagerAPI, jsonKey string) (string, error) {
 	secretID := *input.SecretId
-	out, err := client.GetSecretValue(input)
+	out, err := client.GetSecretValue(context.TODO(), input)
 	if err != nil {
 		return "", errors.Wrap(err, augmentErrMsg(secretID, err))
 	}
 
 	if jsonKey == "" {
-		return aws.StringValue(out.SecretString), nil
+		return aws.ToString(out.SecretString), nil
 	}
 
 	secretMap := make(map[string]interface{})
@@ -146,15 +148,15 @@ func GetSecretFromASMWithInput(input *secretsmanager.GetSecretValueInput,
 
 // GetSecretFromASM makes the api call to the AWS Secrets Manager service to
 // retrieve the secret value
-func GetSecretFromASM(secretID string, client secretsmanageriface.SecretsManagerAPI) (string, error) {
+func GetSecretFromASM(secretID string, client SecretsManagerAPI) (string, error) {
 	in := &secretsmanager.GetSecretValueInput{
 		SecretId: aws.String(secretID),
 	}
 
-	out, err := client.GetSecretValue(in)
+	out, err := client.GetSecretValue(context.TODO(), in)
 	if err != nil {
 		return "", errors.Wrapf(err, "secret %s", secretID)
 	}
 
-	return aws.StringValue(out.SecretString), nil
+	return aws.ToString(out.SecretString), nil
 }

Diff for: agent/asm/asm_test.go

@@ -21,9 +21,11 @@ import (
 	"testing"
 
 	mocks "github.com/aws/amazon-ecs-agent/agent/asm/mocks"
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/service/secretsmanager"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+	"github.com/aws/smithy-go"
 	"github.com/golang/mock/gomock"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
@@ -109,7 +111,7 @@ func TestASMGetAuthConfig(t *testing.T) {
 		t.Run(c.Name, func(t *testing.T) {
 			mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 			mockSecretsManager.EXPECT().
-				GetSecretValue(gomock.Any()).
+				GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
 				Return(c.Resp, nil)
 
 			_, err := GetDockerAuthFromASM("secret-value-id", mockSecretsManager)
@@ -129,7 +131,7 @@ func TestGetSecretFromASM(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&secretsmanager.GetSecretValueOutput{
 			SecretString: aws.String(secretValue),
 		}, nil)
@@ -144,7 +146,7 @@ func TestGetSecretFromASMWithJsonKey(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&secretsmanager.GetSecretValueOutput{
 			SecretString: aws.String(jsonSecretValue),
 		}, nil)
@@ -160,7 +162,7 @@ func TestGetSecretFromASMWithMalformedJSON(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&secretsmanager.GetSecretValueOutput{
 			SecretString: aws.String(malformedJsonSecretValue),
 		}, nil)
@@ -177,7 +179,7 @@ func TestGetSecretFromASMWithJSONKeyNotFound(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&secretsmanager.GetSecretValueOutput{
 			SecretString: aws.String(jsonSecretValue),
 		}, nil)
@@ -194,7 +196,7 @@ func TestGetSecretFromASMWithVersionID(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&secretsmanager.GetSecretValueOutput{
 			SecretString: aws.String(secretValue),
 		}, nil)
@@ -211,7 +213,7 @@ func TestGetSecretFromASMWithVersionIDAndStage(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&secretsmanager.GetSecretValueOutput{
 			SecretString: aws.String(secretValue),
 		}, nil)
@@ -243,16 +245,19 @@ func TestGetSecretFromASMWithInputErrorMessageKnownError(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
-		Return(nil, awserr.New(secretsmanager.ErrCodeResourceNotFoundException, "Secrets Manager can't find the specified secret.", nil))
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
+		Return(nil, &types.ResourceNotFoundException{
+			Message: aws.String("Secrets Manager can't find the specified secret"),
+		})
 
 	secretValueInput := createSecretValueInput(toPtr(valueFrom), toPtr(versionID), nil)
 	_, err := GetSecretFromASMWithInput(secretValueInput, mockSecretsManager, jsonKey)
 
 	assert.Error(t, err)
-	aerr, ok := errors.Cause(err).(awserr.Error)
-	require.True(t, ok, "error is not of type awserr.Error")
-	assert.Equal(t, secretsmanager.ErrCodeResourceNotFoundException, aerr.Code())
+	var ae smithy.APIError
+	ok := errors.As(err, &ae)
+	require.True(t, ok, "error is not of type smithy.APIError")
+	assert.Equal(t, (&types.ResourceNotFoundException{}).ErrorCode(), ae.ErrorCode())
 	assert.Contains(t, err.Error(), fmt.Sprintf("ResourceNotFoundException: The task can't retrieve the secret with ARN '%s' from AWS Secrets Manager. Check whether the secret exists in the specified Region", valueFrom))
 }
 
@@ -262,15 +267,19 @@ func TestGetSecretFromASMWithInputErrorMessageUnknownError(t *testing.T) {
 
 	mockSecretsManager := mocks.NewMockSecretsManagerAPI(ctrl)
 	mockSecretsManager.EXPECT().
-		GetSecretValue(gomock.Any()).
-		Return(nil, awserr.New(secretsmanager.ErrCodeInternalServiceError, "uhoh", nil))
+		GetSecretValue(gomock.Any(), gomock.Any(), gomock.Any()).
+		Return(nil, &types.InternalServiceError{
+			Message: aws.String("uhoh"),
+		})
 
 	secretValueInput := createSecretValueInput(toPtr(valueFrom), toPtr(versionID), nil)
 	_, err := GetSecretFromASMWithInput(secretValueInput, mockSecretsManager, jsonKey)
 
 	assert.Error(t, err)
-	aerr, ok := errors.Cause(err).(awserr.Error)
-	require.True(t, ok, "error is not of type awserr.Error")
-	assert.Equal(t, secretsmanager.ErrCodeInternalServiceError, aerr.Code())
+	var ae smithy.APIError
+	ok := errors.As(err, &ae)
+	require.True(t, ok, "error is not of type smithy.APIError")
+
+	assert.Equal(t, (&types.InternalServiceError{}).ErrorCode(), ae.ErrorCode())
 	assert.Contains(t, err.Error(), fmt.Sprintf("secret %s: InternalServiceError: uhoh", valueFrom))
 }